From: Wouter Wijngaards Date: Tue, 1 Nov 2011 09:44:40 +0000 (+0000) Subject: - documentation for new options: ssl-upstream, ssl-service-key and X-Git-Tag: release-1.4.14rc1~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a918b841fd7aae8b5afa7f3f10282a4cf666579;p=thirdparty%2Funbound.git - documentation for new options: ssl-upstream, ssl-service-key and ssl-service.pem. git-svn-id: file:///svn/unbound/trunk@2533 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 8045d4bcf..c0eb6d8d5 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,8 @@ 1 November 2011: Wouter - dns over ssl support as a client, ssl-upstream yes turns it on. It performs an SSL transaction for every DNS query (250 msec). + - documentation for new options: ssl-upstream, ssl-service-key and + ssl-service.pem. 31 October 2011: Wouter - dns over ssl support, ssl-service-pem and ssl-service-key files diff --git a/doc/example.conf.in b/doc/example.conf.in index ac59166ad..d8fcb56ad 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -453,6 +453,16 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" + # service clients over SSL (on the TCP sockets), with plain DNS inside + # the SSL stream. Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # ssl-service-key: "path/to/privatekeyfile.key" + # ssl-service-pem: "path/to/publiccertfile.pem" + + # request upstream over SSL (with plain DNS inside the SSL stream). + # Default is no. Can be turned on and off with unbound-control. + # ssl-upstream: no + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 6ba0140ba..dab5d7e7b 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in 
@@ -164,7 +164,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream. +keep\-missing, tcp\-upstream, ssl\-upstream. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index e5d930f93..07ad37c67 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -296,6 +296,25 @@ Enable or disable whether TCP queries are answered or issued. Default is yes. Enable or disable whether the upstream queries use TCP only for transport. Default is no. Useful in tunneling scenarios. .TP +.B ssl\-upstream: \fI +Enabled or disable whether the upstream queries use SSL only for transport. +Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in +TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR). +.TP +.B ssl\-service-key: \fI +If enabled, the server provider SSL service on its TCP sockets. The clients +have to use ssl\-upstream: yes. The file is the private key for the TLS +session. The public certificate is in the ssl\-service\-pem file. Default +is "", turned off. Requires a restart (a reload is not enough) if changed, +because the private key is read while root permissions are held and before +chroot (if any). Normal DNS TCP service is not provided and gives errors, +this service is best run with a different \fBport:\fR config or \fI@port\fR +suffixes in the \fBinterface\fR config. +.TP +.B ssl\-service\-pem: \fI +The public key certificate pem file for the ssl service. Default is "", +turned off. +.TP .B do\-daemonize: \fI Enable or disable whether the unbound server forks into the background as a daemon. Default is yes.
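Review bot: the Changelog hunk misspells the new option: `ssl-service.pem` should be `ssl-service-pem`, matching the example.conf.in and unbound.conf.5.in text added in this same commit (the 31 October entry directly below already spells it `ssl-service-pem`). The commit subject carries the same typo, so it is worth fixing in the Changelog line before it is copied into release notes.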
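Review bot: in the example.conf.in hunk, the ssl-service-key/ssl-service-pem comment omits the operational consequence that the unbound.conf.5.in text in this commit spells out: once the key is set, plain DNS over TCP is no longer served on those sockets and such queries get errors, so the service should be bound to a separate `port:` or an `@port` suffix on `interface:`. A reader who configures from example.conf alone would otherwise break plain TCP service for existing clients. Suggest extending the comment along the lines of the man page wording, e.g. "plain DNS TCP is not served on these sockets; use a different port: or interface: ...@port". The "requires restart to take effect" remark would also be clearer with the reason given in the man page (the key is read with root privileges before chroot), since that tells the operator what file permissions the key file needs.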
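Review bot: the ssl-upstream entry in the unbound.conf.5.in hunk does not say whether the upstream server's certificate is verified, or against which trust anchors; without that statement a reader cannot tell if this protects against an active attacker or only hides queries from passive observers, and that belongs in the option's documentation. The sentence "Useful in tunneling scenarios." is carried over verbatim from tcp-upstream and could be replaced by that statement. Smaller fixes in the same hunk: "Enabled or disable whether" should read "Enable or disable whether"; "the server provider SSL service" should read "the server provides SSL service"; and `.B ssl\-service-key: \fI` escapes only the first hyphen, unlike `.B ssl\-service\-pem: \fI` on the following entry, so the second hyphen should be `\-` as well for consistent groff output.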